

5 Tips for CIOs Who Want to Get Serious About Cyber Security
Are you overwhelmed by news of hacks and data breaches? Use these tips to kick start your cyber security program.
By Sam Di Nuzzo (Mar. 04, 2017)
1. Risk Assessment:
Conducting a risk assessment is the first step in establishing a cyber security program. A risk assessment gives the cyber security and management teams a list of risks that must be addressed immediately, such as catastrophic risks to the company, and those that can be phased in over time. By mobilizing the cyber security team to perform the immediate risk mitigation activities, risk is quickly reduced and momentum is generated. A risk assessment should be conducted annually and improved upon as the company’s ability to perform one matures. A well-executed risk assessment is critical to identifying catastrophic risks, building momentum and establishing an ongoing risk management process.
2. Maturity Assessment:
A maturity assessment measures your cyber security program’s capabilities. Knowing your capabilities and where to improve them is the only sustainable way to confront current and future threats. A maturity assessment is also used, along with your risk assessment, to build a cohesive cyber security strategy and roadmap. Combining the knowledge of your current capabilities with targeted investments in your program is invaluable to a CIO.
3. Governance:
Governance will enable your cyber security program to adapt and respond to risks and incidents. Hiring the right cyber security leaders and ensuring they are supported by C-level executives is required for an effective program. Given the magnitude of the risks associated with a possible hack or data breach, cyber security should be discussed at board of directors’ meetings. With the right leaders and support structures in place, you will have the peace of mind that your risks are being managed.
4. Strategy:
Creating a strategy brings direction, clarity and alignment to a program. A strategy gives the cyber security team direction and purpose, while the executive management team gains clarity and rationale. Another benefit of a cohesive strategy is the alignment between your program and business goals. A well-constructed strategy will ensure your program receives support from both the executive and execution teams, putting it on the right track.
5. Get Help:
Starting a serious cyber security program can be a daunting task. Luckily, help from experts is available to get started. Using experts will reduce the time and cost of establishing your program while improving the quality of the work delivered. Experts can quickly target areas that need attention and reduce risk rapidly. A benefit of using experts rather than novices is less time spent on execution; thus, overall costs are reduced. Having confidence in your results is essential to reducing risk; otherwise, the program is an academic exercise better not done at all.
These 5 tips will help you take the mystery and anxiety out of establishing a cyber security program.